How to Stop a DDoS Attack in Its Tracks (Case Study)

In our last case study, we showed you how we cleaned up a negative SEO attack on Kinsta. Today we are going to show you some steps and troubleshooting we took to stop a DDoS attack on a small WordPress e-commerce site. DDoS attacks can come out of nowhere and smaller sites are usually even more vulnerable, as they aren’t prepared to deal with it when it happens. Let us ask you this question. If your site was attacked tomorrow, what would you do? If you don’t have any ideas, then perhaps you should bookmark and read this article.

What is a DDoS Attack?

DDoS is short for distributed denial of service. The primary purpose of a DDoS attack is simply to overwhelm your web server and either cripple it or take it down. One of the frustrating things about these types of attacks is that the attacker generally doesn’t gain anything and typically nothing is hacked. The big problem with DDoS attacks is the overwhelming load they put on the server. Most likely you will also see your bandwidth spike to an incredible amount, and this could cost you hundreds or even thousands of dollars. If you are on a cheaper or shared host, this can easily result in a suspension of your account.

On October 21, 2016, the largest DDoS attack (DNS related) in history occurred, bringing down large companies such as PayPal, Spotify, Twitter, Reddit, and eBay. Some even called it the DNS Doomsday of the internet. As the web continues to grow, it’s not surprising that DDoS attacks are on the rise at an alarming rate. In fact, according to data provided by easyDNS, DDoS attacks over time are getting much worse. For a lot of sites, it might just be a matter of time until you are hit.


Here at Kinsta, we’re generally able to fend off more attacks than cheaper hosts, simply because of additional security precautions we have in place. But we also recommend utilizing companies out there that have large infrastructures and software built specifically to thwart DDoS attacks. We will always be supporters of letting the experts do what they are best at. Cloudflare and Sucuri are two we recommend for WordPress users or any type of platform. Investing in decent DDoS protection can save you time, money, and frustration down the road.

Stopping a DDoS Attack on a Small EDD Site

In this case study, we had a small WordPress e-commerce site which was running Easy Digital Downloads. The site typically only generated 30-40 MB a day in bandwidth and a couple hundred visitors per day. Back in June, it started using a lot of bandwidth out of the blue, without Google Analytics showing any additional traffic. The site instantly went to 15-19 GB of data transfer a day! That’s an increase of 4650%. Not good. And it’s definitely not just a little increase in bot traffic. Thankfully, the owner was able to quickly spot this in Kinsta’s Analytics.

High bandwidth usage on WordPress site

After seeing the increase, it was a matter of checking the server logs to investigate what was happening. These types of things can easily spin out of control. The past 7 days showed that the site’s /account/ page had been requested 5,110,00 times and produced a total of 66 GB of traffic. That is from a site that typically generates a little over 1 GB of total data in an entire month. So instantly we knew something was up.

Analyzing the top 10 client IPs for the last 7 days instantly showed some suspicious activity. A majority of them had over 10,000 requests each, and there were quite a few of them. Remember, this is a small site which should only be getting a couple thousand requests total per month.

Top 10 client IPs (blocked out for security purposes)

You can always rely on Google to provide you with data. Entering a couple of the top IPs into a search, we could easily see that most of them were proxy addresses, meaning someone was most likely trying to hide their traffic.

Proxy IP

Changing URLs

The very first thing we did was actually change the /account/ page URL to something different. This is always a good first measure. However, this only stopped the attack for a short period of time, until they discovered the new URL. Remember, because this is an e-commerce site, it must have a public account page. Obviously on a blog alone, changing the WordPress login URL and hiding it completely will stop a lot of these types of attacks, but that wouldn’t work in this case. This is what we call WordPress security by obscurity.

Hacking or Brute-Force Attempts?

Another thing you should confirm in these situations is that it isn’t a hacking attempt, which in this case it wasn’t. WP Security Audit Log is a great plugin to quickly monitor and see if there are any invalid login attempts on a page. You can also check your logs to see if there are any POST actions happening in large quantity. This appeared to be a classic DDoS attack in which they simply send a bunch of traffic to one portion of the site to try and overwhelm it.
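The two log checks above (requests and bytes per path, top client IPs, and the GET-versus-POST breakdown that separates a flood from a login brute-force) can be done with a short script before reaching for any hosting dashboard. The following is an added example and not tooling from Kinsta or from the original post; the log lines are constructed in combined log format with documentation IP ranges, and the `per_path_threshold` value is an assumption you would set from your own site’s normal request volume.

```python
import re
from collections import Counter

# Constructed sample in combined log format (not real log lines from the site
# in the post). Two automated clients hammer /account/ with GETs; one normal
# visitor browses the shop and submits a single login form.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2018:10:00:01 +0000] "GET /account/ HTTP/1.1" 200 13120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2018:10:00:02 +0000] "GET /account/ HTTP/1.1" 200 13120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2018:10:00:02 +0000] "GET /account/ HTTP/1.1" 200 13120 "-" "curl/7.58.0"
203.0.113.10 - - [12/Jun/2018:10:00:03 +0000] "GET /account/ HTTP/1.1" 200 13120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 8400 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2018:10:00:09 +0000] "GET /shop/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2018:10:00:10 +0000] "GET /account/ HTTP/1.1" 200 13120 "-" "curl/7.58.0"
192.0.2.44 - - [12/Jun/2018:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status and response size from a
# combined-format line; the referrer and user agent are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_log(text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        yield rec


def triage(text, top_n=10):
    """The same views the post describes: top client IPs, top paths,
    bytes served per path and the request-method breakdown."""
    by_ip, by_path, bytes_by_path, methods = Counter(), Counter(), Counter(), Counter()
    for r in parse_log(text):
        by_ip[r["ip"]] += 1
        by_path[r["path"]] += 1
        bytes_by_path[r["path"]] += r["bytes"]
        methods[r["method"]] += 1
    return {
        "top_ips": by_ip.most_common(top_n),
        "top_paths": by_path.most_common(top_n),
        "bytes_by_path": dict(bytes_by_path),
        "methods": dict(methods),
    }


def flag_ips(text, per_path_threshold):
    """Return (ip, path, count) for every client that hit one path at least
    `per_path_threshold` times, most aggressive first. In the post the
    threshold was obvious (10,000+ requests on a site expecting a few
    thousand per month); set it from your own baseline."""
    hits = Counter((r["ip"], r["path"]) for r in parse_log(text))
    flagged = [(ip, path, n) for (ip, path), n in hits.items() if n >= per_path_threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


def post_counts(text):
    """POSTs per path. A brute-force attempt shows up as a large number of
    POSTs to the login endpoint; a GET flood like the one in the post does not."""
    return Counter(r["path"] for r in parse_log(text) if r["method"] == "POST")


if __name__ == "__main__":
    stats = triage(SAMPLE_LOG)
    print("top paths:", stats["top_paths"])
    print("methods:", stats["methods"])
    print("flagged:", flag_ips(SAMPLE_LOG, per_path_threshold=2))
    print("POSTs:", dict(post_counts(SAMPLE_LOG)))
```

On a real server you would feed the script the last few days of the access log (or pipe it through `tail -f` for a live view). A single path dominating both request count and bytes, with a handful of IPs responsible for most hits and almost no POST traffic, is the pattern the post describes; many POSTs to `/wp-login.php` would instead point at a credential attack.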

IP Blocking

If you are running on your own server, the next step would probably be to install an IP blocking or firewall plugin such as WordFence. However, just like most other managed WordPress hosts, we don’t allow plugins like that here at Kinsta, for a couple of reasons. First of all, they can have a huge effect on your performance, especially the scanning capabilities. Second, we utilize load balancers with Google Cloud Platform, which means a lot of the time their IP blocking functionality wouldn’t work as intended.

Therefore, we built our own tool. You can now easily block IP addresses manually using the IP Deny tool in the MyKinsta dashboard. Or you can always reach out to our support team as we also support geoblocking.

IP Deny tool

However, depending upon the length and scale of the attack, this could be a never-ending process of blacklisting IPs, which in most cases doesn’t solve the problem fast enough. A lot of DDoS attacks, when blocked in one area, will simply pop up in another, or change IPs and proxy addresses. So in this instance, it makes sense to take advantage of a DDoS solution which can help automate the process with built-in rules compiled from years’ worth of data.

Moving the Site to Cloudflare Didn’t Help

A lot of times Cloudflare does a decent job of stopping some basic bot traffic, but when it comes to the free plan, their DDoS protection isn’t the greatest. In fact, we moved the site to Cloudflare and it resulted in even more suspicious traffic hitting the site, although we think this was simply due to the attacker increasing their efforts. As seen below, it was reaching almost 50,000 requests per hour. Their CDN portion works great, but if you need more, you will most likely need to pay.

Cloudflare requests

We then implemented “Rate limiting” on the site. Rate limiting allows you to create rules based on traffic matching a URL and then block/limit it based on activity. This can be enabled on the free plan, and costs $0.05 per 10,000 requests. However, at the rate we were seeing requests, it would have been about 36 million requests per month, which would have cost $180 a month by itself. So obviously, that was not a solution that was fixing the problem. And yes, we did try all types of pattern rules.

IP rate limiting

Note: Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across all your websites. But in this case, it wasn’t working.
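To make the two points above concrete (how a per-IP rule on a URL pattern behaves, and why billing on “good” requests didn’t help here), the following added example simulates a generic rule of the shape “more than N requests matching a path from one IP within a period blocks that IP for a while”. This is not Cloudflare’s implementation or API, just a sliding-window limiter written for this post; the flood timings and IPs are constructed, and the only figures taken from the text are the $0.05 per 10,000 requests price and the 36 million requests per month estimate.

```python
from collections import defaultdict, deque
from fnmatch import fnmatchcase


class PathRateLimiter:
    """If one client IP makes more than `threshold` requests matching
    `pattern` within `period` seconds, block its further matching requests
    for `block_for` seconds. Requests that match the rule and are let
    through are counted as `good` (the ones a provider would bill for)."""

    def __init__(self, pattern, threshold, period, block_for):
        self.pattern = pattern
        self.threshold = threshold
        self.period = period
        self.block_for = block_for
        self.windows = defaultdict(deque)  # ip -> timestamps of recent matching hits
        self.blocked_until = {}            # ip -> time when the block expires
        self.good = 0
        self.blocked = 0

    def check(self, ts, ip, path):
        """Return True if the request is allowed, False if blocked."""
        if not fnmatchcase(path, self.pattern):
            return True  # rule does not apply; neither counted nor billed
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            self.blocked += 1
            return False
        win = self.windows[ip]
        win.append(ts)
        while win and win[0] <= ts - self.period:  # drop hits outside the window
            win.popleft()
        if len(win) > self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            win.clear()
            self.blocked += 1
            return False
        self.good += 1
        return True


def simulate(requests, limiter):
    """Feed (timestamp, ip, path) tuples in time order; return (good, blocked)."""
    for ts, ip, path in sorted(requests):
        limiter.check(ts, ip, path)
    return limiter.good, limiter.blocked


def build_single_source_flood():
    # Constructed: one IP sends 10 requests/s to /account/ for 60 s,
    # alongside three requests from a genuine visitor.
    reqs = [(i / 10, "198.51.100.7", "/account/") for i in range(600)]
    reqs += [(t, "192.0.2.44", "/account/") for t in (5.0, 20.0, 40.0)]
    return reqs


def build_distributed_flood():
    # Constructed: 50 proxy IPs each send 5 requests per 10 s window for 60 s,
    # deliberately staying under a threshold of 10 per 10 s.
    return [(w * 10 + j, "203.0.113.%d" % k, "/account/")
            for k in range(1, 51) for w in range(6) for j in range(5)]


def estimated_monthly_bill(good_requests_per_month, price_per_10k=0.05):
    """Cost of rate limiting when billed on matching requests that were not blocked."""
    return round(good_requests_per_month / 10_000 * price_per_10k, 2)


if __name__ == "__main__":
    rule = lambda: PathRateLimiter("/account/*", threshold=10, period=10, block_for=60)
    print("single source (good, blocked):", simulate(build_single_source_flood(), rule()))
    print("distributed   (good, blocked):", simulate(build_distributed_flood(), rule()))
    print("bill for 36M good requests: $%.2f" % estimated_monthly_bill(36_000_000))
```

Against one aggressive IP the rule works as advertised: the first ten hits pass and the remaining 590 are blocked. Spread the same volume across fifty proxy addresses that each stay under the threshold and every request passes, is counted as good, and is billed, which matches the post’s experience that pattern rules neither stopped the traffic nor avoided the $180 per month estimate.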

The next step, which we knew was already coming, was to look into an actual web application firewall. Many users don’t realize this, but Cloudflare’s free plan doesn’t include this. And this is almost required to stop DDoS attacks nowadays. So the next option would be to upgrade to Cloudflare’s pro plan at $20/month. However, this is where you should take some time and compare other third-party solutions.


Comparing Cloudflare to Sucuri

In our opinion, two of the best solutions out there right now for web application firewalls that are easy to implement for any type of site are Cloudflare and Sucuri. Note: We aren’t affiliated with either of these companies. However, if you really look into these you will see that Sucuri is perhaps a much better bang for your buck. Let’s take a look, as they both have $20/month plans.

Cloudflare

With Cloudflare’s Pro plan you only get Advanced DDoS Protection at Layers 3 and 4 (read more about layer 3 and 4 DDoS attacks). This will help to automatically stop TCP SYN, UDP and ICMP attacks on their edge servers, so they never reach your origin server. To get layer 7 protection you have to upgrade to the $200/month plan. Remember that this is a very small e-commerce site, so $200/month would be quite costly, on top of their hosting fees.

Sucuri

With Sucuri’s $20/month plan, you get Advanced DDoS Protection at layers 3 and 4, along with layer 7. This helps to automatically detect sudden changes in traffic and protects against POST floods and DNS-based attacks, so they never reach your origin server. So right off the bat, you are probably going to see better DDoS mitigation with Sucuri. And in this case, we wanted layer 7 for HTTP flood attacks.

An HTTP flood attack is a type of Layer 7 application attack that utilizes the standard valid GET/POST requests used to fetch information, as in typical URL data retrievals (images, information, etc.) during SSL sessions. An HTTP GET/POST flood is a volumetric attack that does not use malformed packets, spoofing or reflection techniques. – Sucuri

Sucuri also offers load balancing in its $70/month plan whereas Cloudflare has quite a few fees attached to different aspects of their load balancing feature, such as usage-based pricing, whether you want geo-load balancing, etc.

Both of them have similar features such as being able to add challenges to certain pages, blacklisting IPs, etc. However, as far as DDoS protection goes, Sucuri offers more. We also really like the IP blacklisting UI in Sucuri and how certain things are set up vs Cloudflare.

And remember, no company can promise you 100% DDoS protection, all they can do is help you automatically mitigate it.

Moving the Site to Sucuri

Moving your site to Sucuri is pretty easy. Just like Cloudflare, there isn’t technically anything you need to install, as it acts as a full proxy service. This means you are pointing your DNS to them, and then they are pointing to your host. And essentially the web application firewall (or WAF) sits in the middle.

Their dashboard in our opinion isn’t as flashy or modern looking as Cloudflare’s, but when it comes to a WAF, you really should just be caring about how well it works. As you can see below, it basically detects your current hosting IP, and they provide you with a Firewall IP. This is what you point your DNS to (A record + AAAA record).

Sucuri dashboard

You can be up and running on Sucuri in a matter of minutes, which is good when you are under an active DDoS attack. The only real wait time is DNS propagation. They include an HTTP/2 Anycast CDN as well, so it is more than just a firewall. It can also help speed up your WordPress site. But you can also optionally use your own CDN such as KeyCDN with Sucuri just fine.
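One consequence of the full-proxy setup described above (and the reason, mentioned earlier, that plugin-based IP blocking misbehaves behind load balancers) is that the origin server no longer sees the visitor’s address; it sees the proxy’s, and the visitor is carried in a forwarded header. The following is an added example, not code from Kinsta, Sucuri or the original post, showing how an origin should treat that header: trust it only when the connection really comes from the proxy, and reject direct connections that skip the firewall. The proxy ranges are placeholders from the documentation IP space; the real ranges come from the provider.

```python
import ipaddress

# PLACEHOLDER ranges standing in for the WAF/CDN's published egress networks.
# These are documentation-only prefixes, not Sucuri's or Cloudflare's ranges.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_trusted_proxy(addr):
    """True if `addr` belongs to one of the proxy networks in front of the origin."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_RANGES)


def client_ip(remote_addr, headers):
    """Address to use for blocking and rate-limit decisions at the origin.

    X-Forwarded-For is a comma-separated chain where each proxy appends the
    address it received the connection from, so the rightmost entry that is
    NOT one of our own proxies is the real client. Anything left of it was
    supplied by the client and may be forged. If the TCP peer itself is not a
    trusted proxy, the header is ignored entirely."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed value; fall back to the connection address
        return hop
    return remote_addr


def origin_should_accept(remote_addr):
    """Origin-side gate for a site behind a full-proxy WAF: only connections
    from the WAF's own addresses should reach the origin, otherwise anyone
    who learns the hosting IP can bypass the firewall by connecting directly."""
    return is_trusted_proxy(remote_addr)


if __name__ == "__main__":
    # Constructed requests: one via the proxy, one direct with a forged header.
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "198.51.100.9, 203.0.113.5"}))
    print(client_ip("198.51.100.9", {"X-Forwarded-For": "192.0.2.1"}))
    print(origin_should_accept("198.51.100.9"), origin_should_accept("203.0.113.5"))
```

In practice the same two rules are applied in the web server or host configuration rather than in application code: restrict inbound traffic on the origin to the firewall’s address ranges, and configure the real-IP module to trust the forwarded header only from those ranges. Without the first rule the DNS change alone does not force traffic through the WAF; without the second, any IP-based blocklist at the origin ends up blocking the proxy instead of the attacker.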


They include a free SSL cert with Let’s Encrypt or you can upload your own. One downside is that Let’s Encrypt isn’t automated; you do have to open a ticket. But their custom SSL cert process is fast. Another tip for performance is that you might want to enable the site caching option. This will honor your origin server’s cache instead of using Sucuri’s. Most likely you already have caching set up on your WordPress host the way you want it.

Sucuri site caching

Advanced Security Options

Under the security screen you can easily block all XML-RPC traffic, aggressive bots, enable additional security headers like HSTS, and much more. Note: XML-RPC traffic was already blocked on this particular site.

Sucuri advanced security options

Real-Time View

One thing we really like is their real-time DDoS protection view. You can easily go into it and see an entire log of current requests. You can one-click blacklist or whitelist anything suspicious, and it will even give you a reason if it was already blocked.

DDoS protection real-time

Other Useful Reports

There are a lot of other useful reports, such as the blocked attacks chart. This allows you to quickly see a percentage of what types of attacks are being blocked, including DDoS attacks. Some other charts in this window include traffic by browser type, devices, and HTTP response codes.

DDoS protection real-time

The average traffic per hour chart is handy to see when the peak times are for your traffic and a ratio of requests being blocked.

Average traffic per hour

The traffic by country table can help you determine if something is coming from one specific geolocation. Under their access controls, you can then easily block an entire country temporarily with a single click.

Traffic by country

Other features under Access Control include the ability to whitelist and blacklist IPs and paths, block user-agents, block cookies, block HTTP referrers, and also protect a certain page with a captcha, two-factor, or simple password.

Sucuri access control

Did Sucuri help our small WordPress e-commerce site? In fact, an hour after the DNS finished propagating, all of the bandwidth and requests instantly dropped on the site (as seen below) and there hasn’t been a single issue since. So definitely a good investment and time saver if you are running into issues like these.

Added Sucuri web application firewall

And here is how the site looked a while after the move to Sucuri. As you can see it is now back down to its original 30-40 MB of data transfer per day.

Low bandwidth usage

Even if you aren’t under attack, perhaps you just want an easier way to keep bots from stealing your host’s bandwidth. They helped WP Beginner block over 450,000 attacks in 3 months. We also noticed an interesting comment on that post:

We are getting hit hard by SPAM bots located on Amazon AWS and Google Cloud. Do you know if Sucuri firewall can help with that? We currently use WPEngine which has a built-in firewall (not blocking anything) and CloudFlare (also not blocking the spam) we are running out of options and really hope Sucuri can help. – AJ

If you have already tried other solutions, perhaps give Sucuri a try. And don’t get us wrong, Cloudflare is still a great solution for a lot of sites, as we recommend them to most of our clients. Their higher paid plans at $200/month most likely would have also mitigated the attack just fine. However, it’s always good to know about other solutions out there. Especially if you are on a budget.

Summary

Hopefully, the above information gives you a little more insight on how to stop a DDoS attack. This is of course just one of many different ways you could approach the situation. But if you’re already in panic mode, usually migrating to either Cloudflare or Sucuri can get you back up and running smooth in no time. If you are just trying to save money on bandwidth from spam bots, a web application firewall can also be a very effective solution.

What are your thoughts on Cloudflare vs Sucuri? Also, do you like seeing these case studies with live data? If so, let us know below, as this helps us decide what type of content we should publish in the future.


Comments


Thank you Brian for the detailed rundown and for this amazing true story of how you were able to employ Sucuri to help your customer.
I met Sucuri in December 2014, when our charity website was hacked and I was looking for a company that would fix it without me and my kids needing to sell our house to be able to afford the invoice :)
I found Sucuri – liked it so much I eventually joined the company.

Thanks for the comment. Actually, because of HTTP/2, combining files will actually in most cases slow your site down now. We have a great article here about HTTP/2: https://kinsta.com/learn/what-is-http2/

Hey Dave, WordFence has its pros and cons. It actually isn’t allowed on hosts such as Kinsta or WP Engine. Many managed WordPress hosts utilize load balancers in which blocking IPs with the plugin actually wouldn’t work. WordFence also has performance issues, although some of this can be fixed if you are careful with the live scanning feature, etc.

But for some hosts, yes, it would definitely help. Just wasn’t an option in this scenario.

Here at Kinsta if we see a DDoS attack happening our engineers will know it right away and we’ll work with the client instead of just charging crazy overage fees at the end of the month. This could involve banning IPs on our end or if needed moving the site behind Cloudflare or Sucuri who have dedicated infrastructures specifically made to mitigate DDoS attacks.

We do utilize Google Cloud Platform and their “premium tier” network for hosting, but our environment is also set up in a different way than if you were to simply launch a GCP VM directly. You can read more about our security here: https://kinsta.com/secure-wordpress-hosting/

We always recommend third-party solutions such as Cloudflare or Sucuri if you need additional protection.
